Closed
Bug 692506
Opened 13 years ago
Closed 13 years ago
Regression in SVG content generated via DOMParser.parseFromString() in FF7
Categories
(Core :: SVG, defect, P1)
Core
SVG
Tracking
()
VERIFIED
FIXED
mozilla10
People
(Reporter: jeffharris, Assigned: bzbarsky)
References
Details
(Keywords: regression, Whiteboard: [qa!])
Attachments
(3 files)
808 bytes,
text/html
|
Details | |
466 bytes,
text/html
|
Details | |
4.16 KB,
patch
|
dholbert
:
review+
asa
:
approval-mozilla-aurora+
asa
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.81 Safari/535.2 Steps to reproduce: Open the attached svg_image_test.html file Actual results: Nothing is displayed Expected results: The Google logo should be displayed. This is a regression. Works fine in FF6, Chrome 15, Safari 5.1, IE9
Assignee | ||
Updated•13 years ago
|
Attachment #565271 -
Attachment mime type: text/plain → text/html
Updated•13 years ago
|
Product: Firefox → Core
QA Contact: general → general
See also bug 692089
Assignee | ||
Comment 2•13 years ago
|
||
The behavior changed in this checkin range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=549e3276ed25&tochange=4e3b03de1fd3 The fix for bug 552605 is in that range. Joe, could that be causing problems here?
Assignee | ||
Updated•13 years ago
|
Component: General → ImageLib
QA Contact: general → imagelib
Updated•13 years ago
|
Assignee: nobody → dholbert
Comment 3•13 years ago
|
||
AFAICT no images are involved here, just raw SVG content generated via DOMParser() (which I'm not familiar with). Shifting to Core:SVG, and changing branch to "Trunk" as I can reproduce (testcase is blank) in today's nightly: Mozilla/5.0 (X11; Linux x86_64; rv:10.0a1) Gecko/20111005 Firefox/10.0a1
Component: ImageLib → SVG
OS: Mac OS X → All
QA Contact: imagelib → general
Hardware: x86 → All
Summary: Regression in SVG Images in FF7 → Regression in SVG content generated via DOMParser.parseFromString() in FF7
Version: 7 Branch → Trunk
Assignee | ||
Comment 4•13 years ago
|
||
When the <svg:image> is bound to the tree after that last append, (mStringAttributes[HREF].IsExplicitlySet()) tests false so the load start from BindToTree is skipped.
Assignee | ||
Comment 5•13 years ago
|
||
That used to be a HasAttr() check until bug 617623 (which is in the regression range above) landed.
Assignee | ||
Comment 6•13 years ago
|
||
So what we do right now is explicitly kick off an image load from nsSVGImageElement::AfterSetAttr. This, of course, does nothing in the data document. Robert, should we be changing mStringAttributes[HREF] somewhere here?
Blocks: 617623
Assignee | ||
Comment 7•13 years ago
|
||
OK, so we're coming from nsSVGElement::ParseAttribute and we call nsSVGString::SetBaseValue with aDoSetAttr == false... which never sets mBaseIsSet. That seems wrong.
Comment 8•13 years ago
|
||
(Here's a reference case -- it's the same as the testcase, but with the SVG directly pasted into the html, rather than being generated/inserted via script with DOMParser(). This version renders correctly on my machine.)
Assignee | ||
Comment 9•13 years ago
|
||
Attachment #565327 -
Flags: review?(longsonr)
Assignee | ||
Comment 10•13 years ago
|
||
Daniel, stealing if you don't mind. Robert, how do you feel about that change for aurora and beta?
Assignee: dholbert → bzbarsky
Priority: -- → P1
Assignee | ||
Updated•13 years ago
|
Whiteboard: [need review]
Comment 11•13 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #10) > Daniel, stealing if you don't mind. (please do, thanks!)
Comment 12•13 years ago
|
||
Comment on attachment 565327 [details] [diff] [review] Make sure that SVG animated strings keep track of whether the base value is set correctly. Patch looks correct to me, FWIW -- and I reviewed the original cset that regressed this (sorry for not catching it there!) -- hence, stealing review, so this can get fixed faster. In case it's helpful to anyone else, here's what I just re-verified myself: we skip the SetStringBaseValue call in this case because SetStringBaseValue is effectively a wrapper for nsGenericElement::SetAttr -- and in this case, we're already *inside* of SetAttr. (nsGenericElement::SetAttr calls nsSVGElement::ParseAttribute which calls nsSVGString::SetBaseValue) The actual attribute-setting takes place at the end of nsSVGElement::ParseAttribute -- if (foundMatch) { [..] aResult.SetTo(aValue); So anyway -- we skip the SetStringBaseValue, since we know the attribute-setting is already being handled at a higher level, but we do absolutely still need to keep track of the fact that the value's been set. So, mIsBaseSet does need to be set unconditionally there.
Attachment #565327 -
Flags: review?(longsonr)
Attachment #565327 -
Flags: review+
Updated•13 years ago
|
Whiteboard: [need review]
Updated•13 years ago
|
Attachment #565327 -
Flags: review+
Comment 13•13 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #10) > Robert, how do you feel about that change for aurora and beta? (I'll comment on this as well since I stole review :) This isn't zero-risk, but I think it's targeted enough to be safe for aurora. I would want to audit the callers of nsSVGString::IsExplicitlySet a bit more before rendering an opinion about suitability for beta.)
Updated•13 years ago
|
tracking-firefox8:
--- → ?
tracking-firefox9:
--- → ?
Updated•13 years ago
|
status-firefox10:
--- → affected
status-firefox7:
--- → affected
status-firefox8:
--- → affected
status-firefox9:
--- → affected
Assignee | ||
Comment 14•13 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/baa28d3f6296
Flags: in-testsuite+
Target Milestone: --- → mozilla10
Assignee | ||
Comment 15•13 years ago
|
||
Comment on attachment 565327 [details] [diff] [review] Make sure that SVG animated strings keep track of whether the base value is set correctly. OK. I'm going to request approval for both aurora and beta for the moment; I too think this is a clear slam-dunk for aurora and that someone who knows this code better than I should evaluate risk for beta...
Attachment #565327 -
Flags: approval-mozilla-beta?
Attachment #565327 -
Flags: approval-mozilla-aurora?
Comment 16•13 years ago
|
||
The fix is clearly right. No other mIsBaseSet in any other type is dependent on aDoSetAttr so this makes us match integers, enums etc. Looks pretty good value for a 1 line change to me.
Updated•13 years ago
|
Attachment #565327 -
Flags: approval-mozilla-beta?
Attachment #565327 -
Flags: approval-mozilla-beta+
Attachment #565327 -
Flags: approval-mozilla-aurora?
Attachment #565327 -
Flags: approval-mozilla-aurora+
Comment 17•13 years ago
|
||
Yup -- after re-skimming relevant parts of the patch that regressed this, I'm definitely comfortable with taking this on beta. The regressing patch (for bug 617623) replaced some nsSVGElement::HasAttr([string_attribute_name]) calls with calls to nsSVGString::IsExplicitlySet(). (I believe that covers all of the nsSVGString::IsExplicitlySet() calls that exist.) In order for us to preserve old/correct behavior & continue returning true in all cases when HasAttr() would have originally returned true, we definitely need this bug's patch.
Assignee | ||
Comment 18•13 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/4216dc9744ed https://hg.mozilla.org/releases/mozilla-beta/rev/570515d49188
Assignee | ||
Comment 19•13 years ago
|
||
Jeff, the fix for this should ship in Firefox 8 in about a month...
Comment 20•13 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/baa28d3f6296
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 21•13 years ago
|
||
Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 Mozilla/5.0 (Windows NT 6.1; rv:9.0a2) Gecko/20111006 Firefox/9.0a2 Mozilla/5.0 (Windows NT 6.1; rv:10.0a1) Gecko/20111006 Firefox/10.0a1 Opening the svg_image_test.html file from bug description displays a blank page. Opening the reference case from comment #8 diplays the Google logo, but also a security warning pup-up ("You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party."). In Chrome, both pages display the Google logo with no security warning. Is this the expected behaviour? or can this bug be reopened? Thank you!
I think you're using builds from before these fixes landed ...
Assignee | ||
Comment 23•13 years ago
|
||
Indeed, that is exactly what Mihaela is doing...
Comment 24•13 years ago
|
||
Verified as fixed - google logo is displayed when opening the test pages - on the builds bellow(latest Aurora and Nightly): Mozilla/5.0 (Windows NT 6.1; rv:9.0a2) Gecko/20111009 Firefox/9.0a2 Mozilla/5.0 (Windows NT 6.1; rv:10.0a1) Gecko/20111009 Firefox/10.0a1 Mozilla/5.0 (Windows NT 5.1; rv:9.0a2) Gecko/20111009 Firefox/9.0a2 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0a2) Gecko/20111009 Firefox/9.0a2 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0a1) Gecko/20111009 Firefox/10.0a1 Mozilla/5.0 (X11; Linux i686; rv:10.0a1) Gecko/20111009 Firefox/10.0a1 Besides the google logo, a security warning was displayed when opening svg_image_test.html on: Mozilla/5.0 (Windows NT 5.1; rv:10.0a1) Gecko/20111009 Firefox/10.0a1 Mozilla/5.0 (X11; Linux i686; rv:9.0a2) Gecko/20111009 Firefox/9.0a2 Need to verify on Beta (8.0) when a new build will be available.
Whiteboard: [qa+]
Comment 25•13 years ago
|
||
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0 Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20100101 Firefox/8.0 Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20100101 Firefox/8.0 Verified the fix on Firefox 8 beta 3: the Google logo is displayed. Also, a security warning (the same as in comment #21 and comment #24) was displayed on Mac and Win7 when opening svg_image_test.html. Is this expected?
Comment 26•13 years ago
|
||
Yes, the security warning is expected. (The testcase is loaded over HTTPS, but its Google logo image is referenced using unsecure HTTP, so that warning is to let you know that a man-in-the-middle could be messing with your Google logo.) Thanks for the verification!
Comment 27•13 years ago
|
||
Marking bug as VERIFIED
Status: RESOLVED → VERIFIED
Whiteboard: [qa+] → [qa!]
Comment 28•13 years ago
|
||
---------------------------------[ Triage Comment ]--------------------------------- Marking this as tracking as this was a shipped regression that Google wants us to fix (though they have put in a workaround). The fix has already landed but it doesn't hurt to track to make sure it isn't backed out, etc. We have confirmed that fixing this won't break their workaround as well.
You need to log in
before you can comment on or make changes to this bug.
Description
•